I have a dynamic website which I have to secure from clickjacking attacks. In the database I am getting these types of values while searching. I know a little about clickjacking, but not exactly what it is, so please, anyone who knows, help me out.

  • Thomas, is that the only way to protect from a clickjacking attack, just by adding the global.asax file and code? – shashank Aug 24 '15 at 11:17

2 Answers

X-FRAME-Options

Add this code in global.asax file.

protected void Application_BeginRequest(object sender, EventArgs e)
{
    // Emit X-Frame-Options: DENY on every response so browsers refuse to render the site inside a frame.
    HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
}

OR

simply add this to <system.webServer> in your Web.config file:

<!-- Clickjacking security -->
<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="DENY" />
  </customHeaders>
</httpProtocol>
<!-- End clickjacking -->

This small snippet adds an HTTP header called x-frame-options to your HTTP responses and prevents your site from being loaded in an iframe in "modern" browsers.
There are 3 possible values for X-Frame-Options:

  1. DENY: do not allow any site to frame your application
  2. SAMEORIGIN: only allow same application site to frame
  3. ALLOW-FROM: only allow specific domain to frame your application
  • x-frame-options is deprecated and should be replaced with content-security-policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy). It seems that DENY still works fine in most browsers, but ALLOW-FROM is problematic. – HotN Jul 06 '17 at 21:10
  • @hotn Can you please provide the documentation as to the deprecation? MDN and other resources do not report this as deprecated. – Itanex Oct 31 '18 at 18:36
  • @Itanex With my comment being over a year ago, I don't recall exactly where I read that. However, I have now found some conflicting info regarding x-frame-options. OWASP has documentation claiming its deprecation (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Limitations_2), while this SO answer implies that MDN documentation has changed since I commented (https://stackoverflow.com/a/25617678/764371). – HotN Oct 31 '18 at 20:20
  • @HotN Thanks for the links, that clears that up. Guess I will have to show this to my security team since they bugged my code for not implementing this. :) – Itanex Nov 01 '18 at 22:12
  • Adding this line HttpContext.Current.Response.AddHeader("x-frame-options", "DENY"); in global.asax adds one more header with DENY when tested in Postman. Do we first remove the header and then add it? – Balasubramanian Ramamoorthi Oct 10 '21 at 13:51
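As an added example (not code from either answer), a small Python audit that classifies a response's headers the way the answer and its comments describe: DENY/SAMEORIGIN, the unreliable ALLOW-FROM, CSP frame-ancestors (which overrides X-Frame-Options when present), and the header being sent twice. The sample responses are constructed, and the function names are mine.

```python
from typing import Dict, List

# Constructed sample responses (not captured from any real site); header values
# are lists so that a header sent twice, as in the Postman comment, is visible.
SAMPLE_RESPONSES = {
    "deny": {"X-Frame-Options": ["DENY"]},
    "sameorigin_with_csp": {
        "X-Frame-Options": ["SAMEORIGIN"],
        "Content-Security-Policy": ["default-src 'self'; frame-ancestors 'self'"],
    },
    "allow_from": {"X-Frame-Options": ["ALLOW-FROM https://partner.example"]},
    "duplicate": {"X-Frame-Options": ["DENY", "DENY"]},
    "none": {"Content-Type": ["text/html"]},
}

def _lookup(headers: Dict[str, List[str]], name: str) -> List[str]:
    """Case-insensitive header lookup that returns every occurrence."""
    return [v for k, vs in headers.items() if k.lower() == name.lower() for v in vs]

def audit_framing(headers: Dict[str, List[str]]) -> Dict[str, object]:
    """Classify one response's anti-framing posture and list what to fix."""
    findings: List[str] = []
    # CSP frame-ancestors is the current mechanism and overrides X-Frame-Options.
    csp_protected = False
    for policy in _lookup(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                csp_protected = True
                if "*" in parts[1:]:
                    findings.append("frame-ancestors allows any origin to frame the page")
    xfo = [v.strip().upper() for v in _lookup(headers, "X-Frame-Options")]
    if len(xfo) > 1:
        findings.append("X-Frame-Options sent %d times; send exactly one" % len(xfo))
    xfo_protected = False
    for value in set(xfo):
        if value in ("DENY", "SAMEORIGIN"):
            xfo_protected = True
        elif value.startswith("ALLOW-FROM"):
            findings.append("ALLOW-FROM is not honoured by all browsers; use frame-ancestors")
        else:
            findings.append("undocumented X-Frame-Options value %r" % value)
    if not csp_protected and not xfo_protected:
        findings.append("no framing protection: add X-Frame-Options and frame-ancestors")
    return {"protected": csp_protected or xfo_protected, "csp_protected": csp_protected,
            "xfo_protected": xfo_protected, "findings": findings}
```

Feed it the header dictionary of a real response (for example the headers returned by a tool like Postman) to see which of the answer's settings actually took effect.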
Try Best-for-now Legacy Browser Frame Breaking Script

One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers that do not support the X-Frame-Options header.

In the document HEAD element, add the following:

First apply an ID to the style element itself:

<style id="antiClickjack">body{display:none !important;}</style>

And then delete that style by its ID immediately after in the script:

<script type="text/javascript">
   // Page is the top-level document: reveal the body by removing the hiding style.
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       // Page has been framed: break out of the frame by navigating the top window to this page.
       top.location = self.location;
   }
</script>